Shulou(Shulou.com)11/24 Report--

CTOnews.com, March 20 / PRNewswire-Asianet /-- Markup, a screenshot editing tool included in Google Pixel phones, has been exposed to a security flaw that may cause some edited screenshots to be restored, thus exposing private information that users want to hide. The vulnerability was first revealed by reverse engineers Simon Aaarons and David Buchanan, and Google fixed it in a security update in March, but screenshots shared by users before this update are still risky.

According to an Aaarons post on Twitter, the vulnerability, known as "aCropalypse", allows partial restoration of screenshots edited with Markup in PNG format. For example, it is possible for users to use the tool to cut or smear their name, address, credit card number or any other private information, and lawbreakers can take advantage of this vulnerability to obtain private information that users thought had been hidden.

Aaarons and Buchanan explain that the vulnerability exists because Markup saves the original screenshot in the same file location as the edited screenshot and never deletes the original version.

According to Buchanan, the vulnerability first appeared about five years ago, when Google introduced Markup in the Android 9 Pie update at about the same time. This makes the situation worse because old screenshots edited with Markup and shared on social media platforms can be risky.

According to CTOnews.com, while some sites (including Twitter) reprocess images uploaded to the platform and remove vulnerabilities, others (such as Discord) do not. Discord did not fix the vulnerability until January 17, which means that screenshots shared on the platform before then are still at risk, and it is not clear whether there are any other affected sites or apps.

An example released by Aaarons (above) shows an edited credit card image that obscures the card number with the black pen of the Markup tool. When Aaarons downloads the image and exploits the aCropalypse vulnerability, the top of the image becomes corrupted, but he can still see what has been edited out in Markup, including the credit card number.

Google has fixed the vulnerability in its security update in March and classified it as "high". This update currently applies to models such as Pixel 4a, 5a, 7 and 7 Pro, which means that Markup may still produce vulnerable images on some Pixel devices. It is unclear when Google will push the patch to other Pixel devices.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.